Security culture research reveals few countries and industries in Asia meet the global average. Critical industries like Construction, Legal and Education score well below the global average.
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, today announced the release of its 2024 Security Culture Report. The report examines how cybersecurity measures related to the human element affect organisations and the way people act and feel at work. 
KnowBe4 defines ‘security culture’ as the ideas, customs and social behaviours that influence an organisation’s security and reduces human risk. Security culture is best understood as the collective mindset, practices and norms that shape how an organisation approaches and prioritises security.
KnowBe4's latest Security Culture Report reveals the overall security culture score globally stands at (72) a low-moderate level, and a measure based on seven different dimensions of security culture (Attitudes, Behaviours, Cognition, Communication, Compliance, Norms and Responsibilities) across regions and industries worldwide. This was unchanged from the prior year.
However, looking to Asia, the analysis reveals only a few countries and industries within the region reach the global average, pointing to a widespread lack of awareness and appreciation for the importance of security culture. In 2024 Singapore recorded a security awareness score of (72), Malaysia (71), Indonesia (65), Philippines (71), and Thailand (68). The region continues to trail Europe (73) and North America (73). The report emphasises the need for organisations in the region to invest in internal security awareness programs and collaborate to improve their overall cybersecurity posture.
Across Asia, the leading industries with security culture scores over 73 are highly regulated. They are Government (74), Energy and Utilities (74), and Banking (74). At the other end of the spectrum, industries with low security culture scores include Construction and Legal (68 for both) and Education (69). These industries are advised to focus on areas of improvement within the seven distinct security culture dimensions if they are to make a positive impact moving forward.
Globally, organisations recognise that employees are a key defence against cyberattacks and that leadership needs to adopt a top-down approach to build a strong security culture. The research highlights that organisations in Asia generally exhibit lower cybersecurity behaviour scores compared to the global average regardless of size, and they also tend to score lower on compliance measures. This trend may translate into a weaker overall cybersecurity stance, with employees being less inclined to follow security guidelines or to act in a secure manner.
KnowBe4’s Dr. Martin Kraemer - Security Awareness Advocate is concerned: "Asia's rapid digital growth, coupled with a strong manufacturing sector and a surge of new tech users, have created a digital landscape increasingly vulnerable to cyberattacks. Building and maintaining a robust security culture is no longer a luxury, but a critical business imperative. As cyberattacks continue to evolve, it’s essential for all industries, particularly those heavily targeted by cybercriminals, to prioritise this investment. By focusing on initiatives that address human-based risks, organisations can significantly strengthen their overall cybersecurity posture.”
The report addresses AI garnering significant attention but not yet impacting the nature of cyberattacks. While bad actors may exploit AI to create sophisticated social engineering tactics, the foundational structure of cyberattacks remains unaltered. This is because attacks will follow the same core formula of social engineering, armed with more efficient tools such as deepfakes and dramatically improved translations. As a result, defences against these cyberattacks would follow a consistent formula of watching out for traditional signs of social engineering. Therefore, using AI's potential to train individuals and enhance defensive measures is a strategic necessity against cybercrime.
To download a copy of KnowBe4’s 2024 Security Culture Report, visit here. KnowBe4 also offers a Security Culture How-To Guide which provides steps and a checklist for organisations to define, build and foster a strong security culture.
About KnowBe4
KnowBe4, the provider of the world’s largest security awareness training and simulated phishing platform, is used by more than 65,000 organisations around the globe. Founded by IT and data security specialist Stu Sjouwerman, KnowBe4 helps organisations address the human element of security by raising awareness about ransomware, CEO fraud and other social engineering tactics through a new-school approach to awareness training on security. The late Kevin Mitnick, who was an internationally recognised cybersecurity specialist and KnowBe4’s Chief Hacking Officer, helped design the KnowBe4 training based on his well-documented social engineering tactics. Organisations rely on KnowBe4 to mobilise their end users as their last line of defence and trust the KnowBe4 platform to strengthen their security culture and reduce human risk.
